def _is_removing_self_admin_role(self, request, project_id, user_id,
                                 available_roles, current_role_ids):
    """Return True (and warn) when the caller would revoke their own admin role.

    The guard fires only when all three hold: the user being edited is the
    requesting user (``request.user.id``), the project being edited is the
    project the request is scoped to (``request.user.tenant_id``), and at
    least one id in ``current_role_ids`` (the roles about to be revoked)
    belongs to a role whose name matches ``utils.get_admin_roles()``.
    Role names are compared case-insensitively.

    Args:
        request: The HTTP request; ``request.user`` identifies the caller.
        project_id: Id of the project whose membership is being edited.
        user_id: Id of the user whose roles are being edited.
        available_roles: Role objects exposing ``id`` and ``name``.
        current_role_ids: Role ids that are about to be revoked.

    Returns:
        True when the revocation would strip the caller's own admin role on
        the current project; a warning is then added via
        ``messages.warning``. False otherwise.
    """
    admin_role_names = utils.get_admin_roles()
    admin_role_ids = {
        role.id for role in available_roles
        if role.name.lower() in admin_role_names
    }
    # Every revoked role that is an admin role triggers the guard; a
    # single membership scan is all that is needed.
    revokes_admin = any(rid in admin_role_ids for rid in current_role_ids)
    editing_self = user_id == request.user.id
    on_current_project = project_id == request.user.tenant_id
    if not (editing_self and on_current_project and revokes_admin):
        return False
    # Cannot remove "admin" role on current(admin) project
    msg = _('You cannot revoke your administrative privileges '
            'from the project you are currently logged into. '
            'Please switch to another project with '
            'administrative privileges or remove the '
            'administrative role manually via the CLI.')
    messages.warning(request, msg)
    return True
def _is_removing_self_admin_role(self, request, project_id, user_id,
                                 available_roles, current_role_ids):
    """Guard against an admin revoking their own admin role on the current project.

    Three conditions must all be true for the guard to trigger: ``user_id``
    is the requesting user, ``project_id`` is the project the request is
    scoped to (``request.user.tenant_id``), and ``current_role_ids`` (the
    roles that are about to be revoked) contains the id of a role whose
    lower-cased name is in ``utils.get_admin_roles()``.

    Args:
        request: The HTTP request; ``request.user`` identifies the caller.
        project_id: Id of the project being edited.
        user_id: Id of the user being edited.
        available_roles: Role objects exposing ``id`` and ``name``.
        current_role_ids: Role ids about to be revoked from the user.

    Returns:
        True if the caller would lose their own admin role (a warning is
        added via ``messages.warning``), otherwise False.
    """
    editing_self = user_id == request.user.id
    editing_current_project = project_id == request.user.tenant_id
    admin_names = utils.get_admin_roles()
    admin_ids = [role.id for role in available_roles
                 if role.name.lower() in admin_names]
    # The roles about to be revoked that are admin roles.
    revoked_admin_ids = [rid for rid in current_role_ids if rid in admin_ids]
    if editing_self and editing_current_project and revoked_admin_ids:
        # Cannot remove "admin" role on current(admin) project
        msg = _('You cannot revoke your administrative privileges '
                'from the project you are currently logged into. '
                'Please switch to another project with '
                'administrative privileges or remove the '
                'administrative role manually via the CLI.')
        messages.warning(request, msg)
        return True
    return False
def is_superuser(self):
    """Evaluates whether this user has admin privileges.

    A user counts as a superuser when at least one entry of ``self.roles``
    has a ``'name'`` whose lower-cased value is among the admin role names
    returned by ``utils.get_admin_roles()``. The comparison is
    case-insensitive on the user's side; the admin role names are
    presumably already lower-cased by ``get_admin_roles`` (verify in
    ``utils``). Returns ``True`` or ``False``.
    """
    admin_role_names = utils.get_admin_roles()
    return any(role['name'].lower() in admin_role_names
               for role in self.roles)
def test_get_admin_roles(self):
    """get_admin_roles() returns the configured admin role names as a set.

    NOTE(review): the expected value presumably comes from a settings
    override applied outside this listing (e.g. a decorator on the test);
    confirm against the surrounding test module.
    """
    expected = {'foo', 'bar', 'admin'}
    self.assertSetEqual(expected, utils.get_admin_roles())
def test_get_admin_roles_with_default_value(self):
    """Without an explicit setting, the only admin role name is 'admin'.

    NOTE(review): relies on no override being active for this test;
    confirm against the surrounding test module.
    """
    expected = {'admin'}
    self.assertSetEqual(expected, utils.get_admin_roles())
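def _update_domain_members(self, request, domain_id, data):
    """Reconcile domain-scoped user role assignments with the submitted form.

    For every user that currently holds a role on ``domain_id``, the roles
    they hold are compared with the membership fields in ``data`` (one field
    per available role, named via ``member_step.get_member_field_name``):
    checked roles the user lacks are granted, roles no longer checked are
    revoked. Users present in ``users_roles`` but absent from the domain's
    user list are skipped. Finally, each checked role is granted to users
    who held no role on the domain at all.

    A user may not revoke an admin role from themselves: for that user the
    revocation step is skipped entirely (every unchecked role is left in
    place, not only the admin one) and a warning is added via
    ``messages.warning``.

    Args:
        request: The HTTP request; ``request.user.id`` identifies the caller.
        domain_id: Id of the domain whose membership is being edited.
        data: Cleaned workflow data; ``data[field_name]`` holds the user ids
            checked for the role that ``field_name`` represents.

    Returns:
        True when every Keystone call succeeded; False when one raised, in
        which case the error is reported through ``exceptions.handle``
        together with an approximate count of users left unprocessed.
    """
    # Approximate number of users still to be processed; only used in the
    # failure message.
    users_to_modify = 0
    # Project-user member step
    member_step = self.get_step(constants.DOMAIN_USER_MEMBER_SLUG)
    try:
        # Get our role options
        available_roles = api.keystone.role_list(request)
        # Admin role names come from settings and do not vary per user, so
        # resolve them once rather than on every iteration of the loop below.
        admin_role_names = utils.get_admin_roles()
        available_admin_role_ids = {
            role.id for role in available_roles
            if role.name.lower() in admin_role_names
        }
        # Get the users currently associated with this domain so we
        # can diff against it.
        users_roles = api.keystone.get_domain_users_roles(request,
                                                          domain=domain_id)
        users_to_modify = len(users_roles)
        all_users = api.keystone.user_list(request, domain=domain_id)
        users_dict = {user.id: user.name for user in all_users}
        for user_id in users_roles:
            # Don't remove roles if the user isn't in the domain
            if user_id not in users_dict:
                users_to_modify -= 1
                continue
            # Roles the user holds now. Each role that is still checked in
            # the form is removed from this list, so whatever remains at
            # the end is exactly the set of roles to revoke.
            current_role_ids = list(users_roles[user_id])
            for role in available_roles:
                field_name = member_step.get_member_field_name(role.id)
                # Check if the user is in the list of users with this role.
                if user_id in data[field_name]:
                    if role.id not in current_role_ids:
                        # user role has changed
                        api.keystone.add_domain_user_role(request,
                                                          domain=domain_id,
                                                          user=user_id,
                                                          role=role.id)
                    else:
                        # User role is unchanged, so remove it from the
                        # remaining roles list to avoid removing it later.
                        current_role_ids.remove(role.id)
            # Prevent admins from doing stupid things to themselves.
            is_current_user = user_id == request.user.id
            # TODO(lcheng) When Horizon moves to Domain scoped token for
            # invoking identity operation, replace this with:
            # domain_id == request.user.domain_id
            is_current_domain = True
            # True when any role still pending revocation is an admin role.
            removing_admin = any(role_id in available_admin_role_ids
                                 for role_id in current_role_ids)
            if is_current_user and is_current_domain and removing_admin:
                # Cannot remove "admin" role on current(admin) domain.
                # Note that every role left in current_role_ids survives
                # here, not only the admin one.
                msg = _('You cannot revoke your administrative privileges '
                        'from the domain you are currently logged into. '
                        'Please switch to another domain with '
                        'administrative privileges or remove the '
                        'administrative role manually via the CLI.')
                messages.warning(request, msg)
            # Otherwise go through and revoke any removed roles.
            else:
                for id_to_delete in current_role_ids:
                    api.keystone.remove_domain_user_role(request,
                                                         domain=domain_id,
                                                         user=user_id,
                                                         role=id_to_delete)
                users_to_modify -= 1
        # Grant new roles on the domain.
        for role in available_roles:
            field_name = member_step.get_member_field_name(role.id)
            # Count how many users may be added for exception handling.
            users_to_modify += len(data[field_name])
        for role in available_roles:
            users_added = 0
            field_name = member_step.get_member_field_name(role.id)
            for user_id in data[field_name]:
                # Users already handled above are skipped; only brand-new
                # domain members are granted the role here.
                if user_id not in users_roles:
                    api.keystone.add_domain_user_role(request,
                                                      domain=domain_id,
                                                      user=user_id,
                                                      role=role.id)
                users_added += 1
            users_to_modify -= users_added
        return True
    except Exception:
        # Boundary of the workflow step: report instead of propagating.
        # NOTE: the text says "project members" although this method edits
        # domain members; kept as-is because it is a translated string.
        exceptions.handle(request,
                          _('Failed to modify %s project '
                            'members and update domain groups.')
                          % users_to_modify)
        return False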
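def _update_domain_members(self, request, domain_id, data):
    """Reconcile domain-scoped user role assignments with the submitted form.

    For every user that currently holds a role on ``domain_id``, the roles
    they hold are compared with the membership fields in ``data`` (one field
    per available role, named via ``member_step.get_member_field_name``):
    checked roles the user lacks are granted, roles no longer checked are
    revoked. Users present in ``users_roles`` but absent from the domain's
    user list are skipped. Finally, each checked role is granted to users
    who held no role on the domain at all.

    A user may not revoke an admin role from themselves: for that user the
    revocation step is skipped entirely (every unchecked role is left in
    place, not only the admin one) and a warning is added via
    ``messages.warning``.

    Args:
        request: The HTTP request; ``request.user.id`` identifies the caller.
        domain_id: Id of the domain whose membership is being edited.
        data: Cleaned workflow data; ``data[field_name]`` holds the user ids
            checked for the role that ``field_name`` represents.

    Returns:
        True when every Keystone call succeeded; False when one raised, in
        which case the error is reported through ``exceptions.handle``
        together with an approximate count of users left unprocessed.
    """
    # Approximate number of users still to be processed; only used in the
    # failure message.
    users_to_modify = 0
    # Project-user member step
    member_step = self.get_step(constants.DOMAIN_USER_MEMBER_SLUG)
    try:
        # Get our role options
        available_roles = api.keystone.role_list(request)
        # Admin role names come from settings and do not vary per user, so
        # resolve them once rather than on every iteration of the loop below.
        admin_role_names = utils.get_admin_roles()
        available_admin_role_ids = {
            role.id for role in available_roles
            if role.name.lower() in admin_role_names
        }
        # Get the users currently associated with this domain so we
        # can diff against it.
        users_roles = api.keystone.get_domain_users_roles(request,
                                                          domain=domain_id)
        users_to_modify = len(users_roles)
        all_users = api.keystone.user_list(request, domain=domain_id)
        users_dict = {user.id: user.name for user in all_users}
        for user_id in users_roles:
            # Don't remove roles if the user isn't in the domain
            if user_id not in users_dict:
                users_to_modify -= 1
                continue
            # Roles the user holds now. Each role that is still checked in
            # the form is removed from this list, so whatever remains at
            # the end is exactly the set of roles to revoke.
            current_role_ids = list(users_roles[user_id])
            for role in available_roles:
                field_name = member_step.get_member_field_name(role.id)
                # Check if the user is in the list of users with this role.
                if user_id in data[field_name]:
                    if role.id not in current_role_ids:
                        # user role has changed
                        api.keystone.add_domain_user_role(
                            request, domain=domain_id,
                            user=user_id, role=role.id)
                    else:
                        # User role is unchanged, so remove it from the
                        # remaining roles list to avoid removing it later.
                        current_role_ids.remove(role.id)
            # Prevent admins from doing stupid things to themselves.
            is_current_user = user_id == request.user.id
            # TODO(lcheng) When Horizon moves to Domain scoped token for
            # invoking identity operation, replace this with:
            # domain_id == request.user.domain_id
            is_current_domain = True
            # True when any role still pending revocation is an admin role.
            removing_admin = any(role_id in available_admin_role_ids
                                 for role_id in current_role_ids)
            if is_current_user and is_current_domain and removing_admin:
                # Cannot remove "admin" role on current(admin) domain.
                # Note that every role left in current_role_ids survives
                # here, not only the admin one.
                msg = _('You cannot revoke your administrative privileges '
                        'from the domain you are currently logged into. '
                        'Please switch to another domain with '
                        'administrative privileges or remove the '
                        'administrative role manually via the CLI.')
                messages.warning(request, msg)
            # Otherwise go through and revoke any removed roles.
            else:
                for id_to_delete in current_role_ids:
                    api.keystone.remove_domain_user_role(
                        request, domain=domain_id,
                        user=user_id, role=id_to_delete)
                users_to_modify -= 1
        # Grant new roles on the domain.
        for role in available_roles:
            field_name = member_step.get_member_field_name(role.id)
            # Count how many users may be added for exception handling.
            users_to_modify += len(data[field_name])
        for role in available_roles:
            users_added = 0
            field_name = member_step.get_member_field_name(role.id)
            for user_id in data[field_name]:
                # Users already handled above are skipped; only brand-new
                # domain members are granted the role here.
                if user_id not in users_roles:
                    api.keystone.add_domain_user_role(request,
                                                      domain=domain_id,
                                                      user=user_id,
                                                      role=role.id)
                users_added += 1
            users_to_modify -= users_added
        return True
    except Exception:
        # Boundary of the workflow step: report instead of propagating.
        # NOTE: the text says "project members" although this method edits
        # domain members; kept as-is because it is a translated string.
        exceptions.handle(request,
                          _('Failed to modify %s project '
                            'members and update domain groups.')
                          % users_to_modify)
        return False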